So we are trying to test some of our defenses and one of our IR guys asked if I can try to hijack an active HTTP session on my system and try to send other traffic through that session. We use authenticating proxies with no single sign-on so all web traffic requires authentication. We are trying to see if an app can hide/cloak/piggyback on an active authenticated session. Any ideas? Can something be done using netcat? My skills are a bit weak in this area and I am exciting to learn something new. It sounded like a fun challenge.

Thanks guys, I'll take a look through those. I guess what we are trying to test is the following...

Malicious software gets on victim system.

Victim doesn't know and software is not exhibiting any strange behavior so scanners and IDS are not picking it up.

Software needs to get out to internet - oh snap authenticating proxy what shall I do???

oh hey, you have an active IE session open already, can I borrow that? Thanks!

And boom goes the dynamite. Now given if the above is possible our next challenge is how can we detect such traffic? I will fiddle around with Burp/Paros as well, either way they look like fun. Sadly Gray-world is blocked here, but I can take a look at that later at home.

I guess your scenario is somehow feasible, the malware creates some hooks, injection some extra data in your session. The only hurdle I see is that the (legit) web server the user is communicating with would need to contain some other piece of malware as well, in order to extract the data from the covert channel.

Imagine a rogue addon in your browser (e.g. FireFox), which sends off data to a remote (unauthorized) 3rd party, every time you log into a website, etc. (This has been seen before.)

Another scenario could be that malware had altered the browser, so that not only would you be able to browse websites, but e.g., a trojan would simultaneously send traffic across the session being in use (or just re-using logins whenever it finds one if possible and one-time tokens are not in use).

In a simple case, the unauthorized traffic could go through via "xmlrpc".

Ettercap has the functionality to inject data into a stream, but I haven't really tested this, but there's a button you can try (It's when you perform Man in the Middle attacks.

But in theory yes it's possible. But there's several layers this could occur on, ranging from the physical level (well, almost), and onto the application layer (the web browser, and yes I'm referring to the OSI model )

Excellent insight MaXe! I appreciate the input. Friend of mine and I were bouncing around the idea of maybe not using web traffic but using the TCP-over-DNS method. Of course we need a DNS server out the outside under our control, that should not be difficult to accomplish. The client side may be a bit more of a challenge.

If anything I got the gears turning on this. And in theory just about anything is possible. I just need more time in the day to work on this. Unfortunately most of this has to be done when I am at home due to certain restrictions at work. If I come across something I'll be sure to update.

3xban wrote:Excellent insight MaXe! I appreciate the input. Friend of mine and I were bouncing around the idea of maybe not using web traffic but using the TCP-over-DNS method. Of course we need a DNS server out the outside under our control, that should not be difficult to accomplish. The client side may be a bit more of a challenge.

If anything I got the gears turning on this. And in theory just about anything is possible. I just need more time in the day to work on this. Unfortunately most of this has to be done when I am at home due to certain restrictions at work. If I come across something I'll be sure to update.

No problem, and nice ideas you're bouncing around You should know, that some companies filter all outgoing ICMP and DNS traffic, so it has to pass by a proxy server first, while some companies, blindly lets all DNS and ICMP traffic through.

What can you use these open and unprotected data tunnels for?

Trojan data of course! (During an ethical pentest assignment that is hehe)

Most covert channels via ICMP, seems to be using almost standard headers but instead of the usual contents, it's actual data inside! The ICMP channel often seems to work with ICMP ECHO and REPLY messages, which can probably even contain CRC values, etc. making the data transfer somewhat reliable.

Covert DNS Channels, uses subdomain wildcards and a DNS server out on the Internet to relay traffic back and forth. It's also a brilliant example of covert channels.

I definitely recommend taking a few looks at the resources I've gathered below.

Update: Oh yeah, I forgot to mention that some SPI (Stateful Packet Inspection) firewalls, will most likely drop this kind of traffic. Still, even if the target company does have a firewall that supports this feature, it may not be turned on or configured correctly.

Deep packet inspection chews up a ton of firewall resources so it's not uncommon to only see that configured on assets in the DMZ or not at all. Stateful inspection is much easier to bypass. I'm not a firewall guru but my understanding is that SPI is only looking at state, ports etc, so a legitimate outbound connection tunneling malicious traffic may not be flagged unless the firewall is actually doing DPI. Application layer firewalls are often used for this but I see more "firewalls" being sold these days with this functionality built-in that just needs to be enabled.